Azure B2C - Custom Policy - Password Change

I have a B2C tenant set up using the oob sign-up/sign-in user flow, working fine. I have also implemented a custom policy to allow the user to change their password when they are already signed in to our application, according to this article.

When testing, if I directly navigate to the custom policy endpoint, it first prompts me to sign-in and then takes me to the password change form which works fine. However, in our case since the user is already signed in to our application, we would like to bypass the sign-in form and take the user directly to the password change form. According to this article I can remove the prompt=login in the url and it should bypass the sign-in form if the user is already signed in.

To test this, I first log in to my app using the signup/signin user flow and then invoke the custom policy URL in the same browser tab session without the prompt=login. It does take me directly to the password change form; however, I get the following error when I try to change the password:

Invalid username or password

I have confirmed that I am entering the correct current password. How can I troubleshoot this and where might the issue be?

Thanks, Param



Solution 1:[1]

This is typical of incorrect setup of custom policies.

Delete the two app registrations: ProxyIEF and IEF apps.

Run the tool to set it up for you: https://aka.ms/iefsetup.

Test sign in works with the custom policy.

Then follow the document you linked again to set up the password change flow. You can download the policies back from the Portal to work with.
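The answer attributes the error to the custom policy not matching the IdentityExperienceFramework and ProxyIdentityExperienceFramework app registrations. As an added example (not code from the question, the answer, or Microsoft), the following Python check parses a TrustFrameworkExtensions.xml and compares the login-NonInteractive technical profile's client_id and IdTokenAudience metadata, and the matching InputClaim defaults, against the app IDs you expect the tenant to have. The sample policy and every GUID in it are constructed placeholders, and the layout of that technical profile is assumed to follow the usual starter-pack shape; run it against your own downloaded policy with your own app IDs.

```python
import xml.etree.ElementTree as ET

# Namespace used by Azure AD B2C custom policy XML.
NS = {"cpim": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Constructed sample: the login-NonInteractive profile as it typically appears
# in TrustFrameworkExtensions.xml. All GUIDs are placeholders, not real app IDs.
# The resource_id default is deliberately wrong so the check has something to find.
SAMPLE_EXTENSIONS = """
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0" TenantId="placeholder.onmicrosoft.com"
  PolicyId="B2C_1A_TrustFrameworkExtensions">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account SignIn</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="login-NonInteractive">
          <Metadata>
            <Item Key="client_id">11111111-1111-1111-1111-111111111111</Item>
            <Item Key="IdTokenAudience">22222222-2222-2222-2222-222222222222</Item>
          </Metadata>
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="client_id"
                        DefaultValue="11111111-1111-1111-1111-111111111111" />
            <InputClaim ClaimTypeReferenceId="resource_id" PartnerClaimType="resource"
                        DefaultValue="99999999-9999-9999-9999-999999999999" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def check_ief_profile(policy_xml, proxy_ief_app_id, ief_app_id):
    """Return a list of mismatches between the login-NonInteractive technical
    profile and the ProxyIEF / IEF app registration IDs the tenant actually has.
    An empty list means the profile references the expected app IDs."""
    root = ET.fromstring(policy_xml)
    profile = root.find(".//cpim:TechnicalProfile[@Id='login-NonInteractive']", NS)
    if profile is None:
        return ["login-NonInteractive technical profile not found"]

    # Which value each setting is expected to carry (assumed starter-pack layout).
    expected = {
        ("Metadata", "client_id"): proxy_ief_app_id,
        ("Metadata", "IdTokenAudience"): ief_app_id,
        ("InputClaim", "client_id"): proxy_ief_app_id,
        ("InputClaim", "resource_id"): ief_app_id,
    }

    actual = {}
    for item in profile.findall("cpim:Metadata/cpim:Item", NS):
        actual[("Metadata", item.get("Key"))] = (item.text or "").strip()
    for claim in profile.findall("cpim:InputClaims/cpim:InputClaim", NS):
        actual[("InputClaim", claim.get("ClaimTypeReferenceId"))] = claim.get("DefaultValue", "")

    findings = []
    for (section, name), want in expected.items():
        got = actual.get((section, name))
        if got is None:
            findings.append(f"{section} {name}: missing")
        elif got != want:
            findings.append(f"{section} {name}: found {got}, expected {want}")
    return findings


if __name__ == "__main__":
    # Placeholder app IDs standing in for the ProxyIEF and IEF registrations.
    for line in check_ief_profile(
        SAMPLE_EXTENSIONS,
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
    ):
        print(line)
```

If the check reports a mismatch, that is consistent with the answer's diagnosis: the policy points at app registrations other than the ones the tenant now has, so the non-interactive sign-in the password change step depends on fails and surfaces as "Invalid username or password" even with the right credentials.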

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Jas Suri - MSFT